Abstract

Spatiotemporal chaos of a two-dimensional one-way coupled map lattice is
used for chaotic cryptography. The chaotic outputs of many space units are
used for encryption simultaneously. This system shows satisfactory
cryptographic properties of high security; fast encryption (decryption) speed; and
robustness against noise disturbances in the communication channel. The
overall features of this spatiotemporal chaos based cryptosystem are better than
chaotic cryptosystems known so far, and also than currently used conventional
cryptosystems, such as the Advanced Encryption Standard (AES).
PACS number(s): 05.45.Vx, 05.45.Ra, 43.72.+q

In the last ten years of the 20th century, secure communication utilizing chaos
synchronization attracted much attention due to the hope that the random-like
behavior of chaos and the sensitivity of chaotic trajectories to initial conditions
may provide new cryptographic methods for hiding private information [1-6].
However, the recent development of chaos communication is rather disappointing.
Various cryptanalyses have exposed some inherent drawbacks of chaotic
cryptosystems, such as low security even with the chaotic dynamics completely
hidden [7-10], slow algorithms [7], and weak resistance against noise
disturbances in the transmission channels, which make it difficult to promote
chaos communication into practical service.

On the other hand, conventional cryptography has become a modern science since the 
work of Shannon [11], and recently some standard and effective cryptographic methods have 
been suggested, e.g., for the symmetrical scheme Data Encryption Standard (DES) and 
Advanced Encryption Standard (AES issued in 2000). In particular, the AES algorithm has 
been shown to have a satisfactory trade-off in the overall properties of security, performance, 
and software and hardware realizations, having no counterpart in chaotic cryptosystems until 
now [7,8,12]. 

In our recent paper [13] we have shown that a one-dimensional (1D) coupled map lattice
may reach very high practical security for chaotic cryptography, while at the same time
having fairly fast encryption and relatively short synchronization time in comparison with
other currently known chaos-based encryption methods. However, the overall properties of
the system of [13] are still not as good as AES: its encryption speed is slower (2 to 3 times)
than AES, and its avalanche effect is larger (3 to 4 times) than AES (i.e., its robustness
against channel noise is weaker than AES). In order for a chaos-based encryption method
to stand up as a new and useful cryptographic technique, it must show significant
advantages over conventional secure communication methods, and this is the task of the
present communication.

In this paper, we propose a 2D coupled map lattice for spatiotemporal chaotic
cryptography. The most significant point is that we are able to use a large number of
chaotic sequences generated by different sites to encode (decode) plaintexts
simultaneously [4], and thus the efficiency of cryptography can be greatly enhanced.
Moreover, we can choose proper coupling structure and encryption transformation and
separate the functions of driving bits and pure cipher bits for reaching high security
together with satisfactory robustness against channel noise. The overall properties of our
cryptosystem can be thus incomparably better than the chaotic cryptosystems known so far,
and be also considerably better than the most effective conventional cryptographic
methods, like AES.

We use the following chaotic coupled map lattice for transmitter encryption, 
where $I_n$'s are the plaintexts assumed to be private, $S_n(j_1,j_2)$ are the ciphertexts
transmitted in the open channel, and $a = (a_1, a_2, \ldots, a_m)$ are the adjustable control
parameters, serving as the secret key. For specificity we will, throughout the paper, take
parameters $h = 26$, $\mu = 52$, $\nu = 32$, $\varepsilon = 0.99$, $m = 3$, $N = 6$, and
$a_1 = a_2 = a_3 = 3.9$.

The schematic encoding structure is given in Fig. 1. First, we use a 1D lattice chain of
length $m = 3$ for setting the secret keys $a = (a_1, a_2, a_3)$ in Eq. (1a). This arrangement
can guarantee full sensitivity of the encryption processes to all key parameters on the one
hand, and reduce as much as possible the number of noncipher sites on the other. Second,
following the 1D chain is a 2D one-way coupled map lattice of Eqs. (1c) and (1d), producing
$M = 25$ chaotic sequences (see the square sites of Fig. 1) in parallel for fast encryption.
The 2D structure reduces the system length and thus effectively reduces the synchronization
time and the associated error bit avalanche. The neighbor and next-to-neighbor coupling
structure of Eq. (1c) enormously increases the cost of any inverse analytical computation
attack. Third, there are two mod operations, Eqs. (1b) and (1e), which may considerably
enhance the sensitivity of chaos synchronization to key parameter variations, and thus
reach high practical encryption security [14]. Finally, from the $M$ output sequences
$S_n(j_1,j_2)$, a single arbitrarily chosen sequence [$S_n(3,3)$ in Fig. 1] is separated from
the remaining cipher sequences as the driving sequence in Eq. (1a) and Fig. 1; this
separation will be shown later to be of great significance in strengthening the robustness of
the system against channel noise. With the feedback of the driving in Eq. (1a), the encoding
system becomes high-dimensional nonautonomous spatiotemporal chaos.

The decryption transformation of the receiver can be obtained symmetrically by replacing
$x_n(j)$, ^n(0,0), $y_n(j_1,j_2)$, the key $a = (a_1, a_2, \ldots, a_m)$, with $x'_n(j)$, 4(0,0),
$y'_n(j_1,j_2)$, and the test key $b = (b_1, b_2, \ldots, b_m)$, respectively. Only one among the
$M = 25$ transmitted signals, $x'_n(0) = S_n(3,3)/2^{\nu}$, serves as the driving signal for the
spatiotemporal chaos synchronization of the receiver; and decoding operations become

$$I'_n(j_1,j_2) = [S_n(j_1,j_2) - K'_n(j_1,j_2)] \bmod 2^{\nu}, \qquad (2)$$

$$K'_n(j_1,j_2) = [\mathrm{int}(y'_n(j_1,j_2) \times 2^{\mu})] \bmod 2^{\nu}.$$

$I'_n$ are the received plaintexts. By setting $b = a$, the receiver can realize synchronization
to the chaotic transmitter, and correctly extract the message as

$$y'_n(j_1,j_2) = y_n(j_1,j_2), \quad K'_n(j_1,j_2) = K_n(j_1,j_2). \qquad (3)$$

Now, let us evaluate our cryptosystem in the aspects of performance, security and
robustness. The first significant point of Eqs. (1) and (2) is that we take full advantage
of spatiotemporal chaos in the performance. A large number of chaotic sites in the lattice
network can be used for encryption (decryption) in parallel. For the present parameters,
we have 31 coupled maps in total, among which 25 chaotic sites can produce ciphertexts
simultaneously. Thus, the encryption (decryption) efficiency is extremely high. Specifically,
we can produce 350-Mbit ciphers per second with our 750 MHz CPU computer. In comparison,
for conventional block ciphers, AES can have encryption speeds of 96-Mbit, 80-Mbit, and
66-Mbit ciphers per second for 128-bit, 192-bit, and 256-bit key sizes (for a 600 MHz CPU
PC) [12], respectively, and for conventional stream ciphers a 32-bit linear feedback shift
register (LFSR), which has very low security, has an encryption speed of 20 Mbits per second
with our same PC.

A crucial problem for the scheme of Fig. 1 is whether $M = 25$ keystreams can be
effectively used in parallel. A positive answer can be available only if different
keystreams are practically uncorrelated. In Figs. 2(a) and 2(b) we plot the mutual
correlation $C_{24,23}(\tau)$ (for the definition, see Eq. (3.2) of [4]) and mutual information
$I(K_n(2,4); K_n(2,3)) = H(K_n(2,4)) - H(K_n(2,4) \mid K_n(2,3))$ between two neighbor
keystreams $K_n(2,4)$ and $K_n(2,3)$, with $H(K_n(2,4))$ and $H(K_n(2,4) \mid K_n(2,3))$ being
information entropy and conditional entropy, respectively. The behaviors of Fig. 2 are not
changed if we take any other pairs of sites. Thus, all the keystreams produced by different
sites are practically independent from each other, and can be satisfactorily used for the
parallel encryption (decryption) purpose.
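
The independence check described above can be sketched as follows; this is an added example, not code from the paper. It assumes a stand-in chaotic source (a single uncoupled logistic map with a = 3.9, since the lattice equations are not reproduced here), constructed initial conditions, keystream words quantised as int(x * 2^52) mod 2^32, and a reduction to the low 4 bits of each word so the plug-in estimator has enough samples per cell.

```python
import math
from collections import Counter

MU, NU = 52, 32  # quantisation parameters quoted in the paper

def keystream(x0, a=3.9, count=20000, skip=100):
    """Stand-in chaotic source (assumption): one uncoupled logistic map
    x -> a*x*(1-x), quantised as K = int(x * 2**MU) mod 2**NU."""
    x, out = x0, []
    for i in range(skip + count):
        x = a * x * (1.0 - x)
        if i >= skip:          # discard the transient
            out.append(int(x * 2**MU) % 2**NU)
    return out

def entropy(symbols):
    """Plug-in Shannon entropy in bits."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())

def mutual_information(ks_a, ks_b, bits=4):
    """I(A;B) = H(A) - H(A|B) on the low `bits` bits of each word,
    with H(A|B) computed as H(A,B) - H(B)."""
    mask = (1 << bits) - 1
    a = [k & mask for k in ks_a]
    b = [k & mask for k in ks_b]
    h_a_given_b = entropy(list(zip(a, b))) - entropy(b)
    return entropy(a) - h_a_given_b

def mi_vs_samples(ks_a, ks_b, sizes=(500, 2000, 20000)):
    """Estimate for growing sample number G. For independent streams the
    plug-in estimate is biased upward and decays roughly as 1/G."""
    return {g: mutual_information(ks_a[:g], ks_b[:g]) for g in sizes}

if __name__ == "__main__":
    k1 = keystream(0.123456789)   # constructed initial conditions
    k2 = keystream(0.987654321)
    for g, mi in mi_vs_samples(k1, k2).items():
        print(f"G={g:6d}  independent streams: {mi:.4f} bits")
    print(f"identical streams: {mutual_information(k1, k1):.4f} bits")
```

A residual value that keeps shrinking as G grows is estimator bias; a value that levels off above zero indicates real dependence between the two keystreams.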

Second, we evaluate the practical security of the cryptosystem, i.e., the resistance of
the chaotic system against the plaintext-known and public-structure attacks, by applying
the error function analysis (EFA) [13]. The error function $e(b)$ can be computed with the
available information and an arbitrary test key $b$ as



By varying $b$ any third party may find the basin of $e_{j_1 j_2}(b)$ and locate the key position
$b = a$ by identifying the minimum error $e(b = a) = 0$, and then illegally decode any future
plaintexts.

In Figs. 3(a)-(c) we fix $b_2 = b_3 = 3.9$ and plot $e(b_1)$ vs $b_1$. $e(b_1)$ has a basin around
its minimum $e(b_1 = a_1 = 3.9) = 0$, and the basin is extremely narrow, showing the high
sensitivity of $e(b_1)$ to key $b_1$. Away from the basin $e(b_1)$ has a flat distribution
fluctuating around its average value. In Fig. 3(d) we plot $e(b_1, b_2)$ in the $b_1$-$b_2$ plane
with $b_3 = a_3 = 3.9$; an extremely small $e(b_1, b_2)$ basin hole is located in the 2D parameter
space. The $a_j$ parameter region available for spatiotemporal chaos is at least
$a_j \in [3.6, 4.0]$, $j = 1, 2, 3$. By applying the analysis similar to [13] the volume of the key
basin can be estimated from Fig. 3 as $V < (10^{-12})^3 = 10^{-36}$, and the probability to find
the key basin by an arbitrary test is $P < 0.4^{-3} \times 10^{-36} \approx 10^{-35}$. From the flat
distribution of $e(b)$ in Figs. 3(a), (b), (d) and from the numerous local minima of $e(b)$ in
Fig. 3(c) one can hardly find any adaptive approach to reveal the $e(b)$ basin more effective
than random tests, and the third party has to make at least $10^{35}$ tests to find the key
basin. This would take the currently best computer in the world at least $10^{16}$ years (the
estimation can be seen in [13]).

Apart from the EFA method, there are many other known attack methods in both
conventional and chaotic cryptographies, such as linear and differential attacks [15],
nonlinear dynamic forecasting attacks [9,10], and so on. All these methods are based on
predicting plaintexts by revealing the plaintext-induced statistical changes of ciphertexts.
We have computed probability distributions of the ciphertexts generated at different sites
for various plaintexts. It is clearly observed that for essentially different plaintexts the
probabilities of ciphertexts have the same uniform distributions, and they are not
distinguishable from each other. Therefore, the above attacks can hardly be practical.
Analytic inverse computation can also break the security of Eq. (1). A simple evaluation
shows that for our system this inverse computation costs much more than the EFA method.

Our cryptosystem is better than AES in security in the following two aspects. First,
with the secret key well hidden our system is practically a one-time pad cipher, while AES
is definitely not, even with a hidden key. Second, our system can easily increase its
security level, e.g., by increasing $m$ by one we can increase the security factor by
$10^{12}$ with almost no encryption speed reduction. For AES there exists a maximum security
level ($2^{128}$ for given plaintext attack). To increase security further beyond this maximum
level one has to increase the block length, and then considerably decrease the encryption
speed. Therefore, our system can much more easily resist stronger attacks developed with
new powerful computers, like possible quantum computers.

The last point to be emphasized is that the cryptographic structure of Eq. (1) makes
the secure communication robust against channel noise disturbances. All self-synchronizing
cryptosystems have the disadvantage of error avalanche, i.e., one bit error in the ciphertext
may cause a large number of error bits in the received plaintext due to the finite
synchronization recovery time, and slower synchronization may cause a more serious
avalanche effect. In this regard, our system has several useful advantages. First, our
decoding system takes a strong coupling $(1 - \varepsilon) = 10^{-2} \ll 1$, which yields a rather
small largest Lyapunov exponent, leading to quick damping of any desynchronous
disturbances in the receiver. This guarantees short synchronization time (26 iterations for
our parameter combination) and relatively small error avalanche (17 iterations). Second,
chaos synchronization between the transmitter and the receiver can be realized by using a
single driving sequence. Thus, among all $M = 25$ transmitted ciphertext sequences, only one
sequence is used for driving, i.e., only $1/25$ of the transmitted bits have the avalanche
problem, and other bit errors do not cause an avalanche effect. Therefore, on average the
avalanche destruction can be considerably reduced. Third and most important, in order to
reduce error avalanche people commonly include some additional bits for protection of the
driving signal, which increases the costs of both cryptography and signal transmission. In
doing so our system has a great advantage of low cost over AES, because in the latter case
one should protect all transmitted bits (each has equal avalanche effect), while for the
former only the driving signal, i.e., $1/25$ of the total transmitted bits, has the avalanche
effect and needs to be particularly protected.

The cryptosystem of Eqs. (1) and (2) with the given parameters has been realized in a
software experiment for duplex voice transmission using the local university campus network.
The experimental setup is given by Fig. 2 of [13] with the cryptosystem replaced by Eqs. (1)
and (2) of this paper. Experimental dialogue can be performed stably between two phones
with standard voice quality and standard speaking speed for an arbitrarily long time.
Moreover, we have also realized experimental duplex voice transmission using a normal city
phone line, where channel noise is considerably larger than that of the network. In this
experiment our system works perfectly well with high security (high sensitivity to the key
parameter change) and satisfactory robustness against noise. A detailed discussion of this
experimental setup and a detailed experimental comparison between our system and AES
will be reported soon.

This work was supported by the National Natural Science Foundation of China under 
10175010 and Nonlinear Science Project. 

Captions of Figures

Fig. 1 A schematic figure of the cryptosystem Eqs. (1) for $N = 6$, $m = 3$. All the $M = 25$
square sites produce ciphers, each 32 bits for an iteration, while the other six triangle sites
do not. All the driving and nondriving ciphers are transmitted in the same open channel.

Fig. 2 (a) and (b) The mutual correlation $C_{24,23}(\tau)$ [Eq. (3.2) in [4]] and the mutual
information $I(K_n(2,4); K_n(2,3))$ between $K_n(2,4)$ and $K_n(2,3)$ vs time distance $\tau$ and
sample number $G$, respectively. The behaviors are not changed if we take any other pairs of
keystreams.

Fig. 3 (a)-(c) Error function $e(b_1)$ given in Eq. (4) plotted vs $b_1$, $b_2 = b_3 = 3.9$.
(d) $e(b_1, b_2)$ plotted in the $b_1$-$b_2$ plane, $b_3 = 3.9$.